The second prompt nobody should have to answer
You've already signed in this morning. Your laptop knows who you are; your company knows who you are. Then you click into the finance app and it asks again — a different password, or one you reset last month and can't remember, or a login screen you've never seen because someone provisioned the account for you back in the spring and you're only opening it now. So you file a ticket. Someone checks a spreadsheet. Twenty minutes evaporate before any real work happens. Multiply that by every internal tool and every person, and you have a permanent, invisible tax on a scaling company.
Underneath it sit two familiar failure modes. The first is password sprawl: a separate credential for each app, each one a support ticket and a soft security hole waiting to happen. The second is quieter and worse: access drift. Access gets granted once, written down somewhere, and then reality moves. People change teams, projects end, a contractor's engagement lapses. The written-down grant stays where it was, so the list of who-can-open-what slowly stops matching the list of who-should. Nobody decides that. It accumulates on its own, and it's the exact material a breach is made of.
Both problems predate AI. What made us pick identity for a design sprint is the new actor that's arrived on top of them.

